| Subject | Re: security problem with user permission! |
|---|---|
| Author | Svein Erling Tysvær |
| Post date | 2006-02-20T15:44:52Z |
Sorry, Vincente, I think the ability for any logged in user to create
new objects is one of the weaknesses of Firebird.
Not that it cannot be avoided in most cases. E.g. where I work, users
don't know their own passwords. We encrypt the password and when
logging in to our applications, we encrypt what the user types. Not
knowing their own password, they can only use the applications, trying
to use other 3rd party tools to connect to any database would complain
about incorrect password. Of course, application programmers need to
know how to encrypt the passwords, but ordinary application users have
no way to create tables etc. in our database.
Another thing is that the passwords in Firebird are limited to eight
characters, so 'sysdbsim' would be enough for you to log in.
Set
new objects is one of the weaknesses of Firebird.
Not that it cannot be avoided in most cases. E.g. where I work, users
don't know their own passwords. We encrypt the password and when
logging in to our applications, we encrypt what the user types. Not
knowing their own password, they can only use the applications, trying
to use other 3rd party tools to connect to any database would complain
about incorrect password. Of course, application programmers need to
know how to encrypt the passwords, but ordinary application users have
no way to create tables etc. in our database.
Another thing is that the passwords in Firebird are limited to eight
characters, so 'sysdbsim' would be enough for you to log in.
Set
--- In firebird-support@yahoogroups.com, "juniorvf" wrote:
> Hello Fellows!
> I work on ministry of education of Brazilian government.
> I'm trying to use firebird 1.5.3 like a departmental database
> server instead of MS Sql Server 2000.
> But we are having a security problem with users permission!
>
> 1-I created a user SYSDBSIMAP_DEV, with password sysdbsimap_dev;
>
> 2-I revoked its permissions as listed below:
>
> 3-I created a new database named sysdbsimap_dev using the sysdba
> permission.
>
> 4-I generated the tables, procedures and several indexes on that
> database connected as sysdba.
>
> 5-Then i registered the database using the sysdbsimap_dev user.
>
> I noticed that the user sysdbsimap_dev doesn't have permission to
> alter the objects created by sysdba.
> Unfortunately, the user can create new objects on database( tables,
> procedures,etc)!
>
> How can I do to deny those permissions to user sysdbsimap_dev? I
> want the user only have permissions for insert, update, delete and
> execute procedures on my database.
>
> Please, help me!
> If I can't assure that an application user can not create objects on
> my database, my boss will stop to use firebird anymore! He will use
> postgres...
>
> My work environment is:
> 1. A dedicated server
> 2. Linux debian operational system.
> 3. Firebird 1.5.3 located on /opt/firebird
>
> Thanks,
> Vicente Ferreira Jr.